A new law being implemented by the most populous U.S. state could attract the eyes of FDA as regulators continue to work through guidance on addressing rising cybersecurity threats to medical devices.
California’s connected devices security law, which took effect Jan. 1, requires manufacturers to equip connected devices with “reasonable security” that protects consumers from attackers gaining access to those devices.
While certain medical device makers — including those covered by some federal laws — may be exempt, the California law does explicitly cover a broad range of so-called Internet of Things (IoT) or connected devices, including wearables and connected home health devices, in addition to computers, security cameras, and smart meters.
And experts say the FDA may be watching the law's implementation as the agency further develops its recommendations on medical device cybersecurity.
“The state lawmakers knew, when they were drafting the law, that the FDA had cybersecurity guidance [it is working on] … States are trying to fill the spaces where you don’t have federal cybersecurity regulation,” Richard Borden, a partner at the law firm of White and Williams, told MedTech Dive.
The FDA did not respond to a query as to how the California law could inform its own federal guidance.
Market research firm IDC estimates close to 42 billion connected devices will generate 79.4 zettabytes of data by 2025. And the connected devices market in North America is forecast by Statista to reach $540 billion by 2022, so the economic impact of the new law could be significant as most major connected device manufacturers sell products in California, a state with an economy bigger than many Western nations.
Report after report in recent years has found healthcare organizations vulnerable to cyber criminals, with the blame placed on over-reliance on legacy systems and employees bending security rules, among other factors.
The law defines a connected device as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
A connected device manufacturer is required to equip the device with a “reasonable security feature” that is “appropriate to the nature and function of the device; appropriate to the information it may collect, contain, or transmit; [and] designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”
One key area of uncertainty surrounds the meaning of “reasonable security feature,” according to Daniel Pepper, partner at the law firm of BakerHostetler.
In addition, “there is still some question as to what the rest of the requirements will need to be to ‘protect the device and any information within from unauthorized access, destruction, use, modification, or disclosure’,” he told MedTech Dive.